Blank out client screen on connect.

Hi,

Are you asking about the type of feature where you can make the physical screen black, while you remain in control of the computer remotely? This is not something we currently have.

Best regards,

Yes, it's a security requirement for us. That and being able to enforce 2FA, which is also makes this a no go for us unfortunately.

Can you tell me a bit more about your requirements for the black screen feature (sometimes called curtain mode)? You mentioned macOS, did you need it for macOS servers only, or Windows as well?

As for 2FA, I don't have an ETA on it, but we will get it done. 2FA support would be done with Office 365 / Azure AD federation in a private Wayk Den deployment. Would this be suitable for your requirements?

Best regards,

For both the privacy of our end users, and the protection of sensitive client documents we require that machines that are remotely accessed be able to enforce a curtain mode. We are a Mac shop, our end users need to be able to remotely access their Mac desktops from home. Most sensibly this would be enabled through Wayk Now, but 3 things are really holding back the possibility.

1. Lack of unattended access for MacOS - (I'm willing to be creative if I can manage things from a CLI if true unattended is too complex right now)
2. Lack of Curtain Mode for privacy
3. Lack of 2FA or modern external authentication (SAML or OAuth) that MFA could be enforced through. (I could throw it behind a cloud application proxy, but that's a burden)

Our IDP is GSuite so having Office365/Azure specific integrations would actually present an additional challenge having to dual host IDPs. Hopefully your intention is to just support SAML, then every IDP would be able to integrate with Wayk Den. SAML is preferable over LDAP which while GSuite supports LDAP, it does not allow for MFA. (Oauth or SAML only).

SAML is also preferable over GSuite's OAuth implementation because in GSuite only SAML apps or GSuite Marketplace apps are able to be added to their application launch menu/dashboard. (Although having both would be superior for a wider audience, OAuth is is so ubiquitous these days I question the motive of a company that doesn't support it.)

Also being able to manage the removal or addition of users/machines from a CLI/REST interface would also be great. Management from a web interface at scale is infeasible.

Thank you for your response, so from what I understand, you are connecting to macs from macs, and Windows is not part of your environment (or if it is, it is of lesser importance).

1) The Wayk macOS unattended mode is coming, I would expect a first release this September. We would reasonably expect this first public release to need further improvements as we iron out missing bits and pieces, as it was the case with our Windows and Linux unattended mode initial releases.

2) If we limit the curtain mode to macOS, there might actually be a shortcut for us to implement it quickly. I would have to try it out, but would the curtain mode from Apple Remote Desktop work for your use case? If so, I think we may be able to trigger it outside of Apple Remote Desktop to obtain the same result. I can't make any promises, but it would be the way I would approach this problem first.

3) I was afraid you were going to say that, most of our users are using Office 365 / Azure AD, which is why the current plan is to start with that. As for SAML, I would have to inquire about how 2FA would work in such a case, as opposed to OAuth federation. Let's say SAML support wasn't an issue - have you checked what it would take for you to set up your own private Wayk Den, and if this is the type of solution you would be willing to deploy in your environment?

You still have some time to try Wayk Den for free, as announced in this blog post:
https://blog.devolutions.net/2020/03/covid-19-announcing-wayk-den-including-unlimited-access-with-wayk-now-enterprise-free-for-6-months

One last question, because I am curious: since you are a Mac shop, I assume this would affect your choices in terms of solutions similar to Wayk Now. Do you have other products on your list of potential choices, and if so, what are they?

Best regards,

Hi,

Nevermind what I just said about the lock screen. It turns out to be much more complicated than I thought to re-use the lock screen application from the Apple Remote Desktop server. The server does call a helper application with a few parameters, but it also does some trickery with macOS user session management, so this is not something easily implemented by calling the right executable with the right parameters, unfortunately.

I'll keep the macOS curtain mode in mind, but it would likely require a fair amount of work to implement.

Best regards,

1. That's welcome news.
2. I believe it would, although you've got me thinking of how it would be neat to be able to run shell scripts on user connect/disconnect to trigger this. Just a thought.
3. Well the SAML specification really leaves it up to the IDP to handle any requirements for validating the user (2FA/MFA,Context Awareness etc), seeing as during this handshake the user is directed to the IDPs domain for validation, I would hope that it wouldn't present any additional complexity over what is already being looked into. I'm certain all diligence is being taken though for determining what is best. I did spin up a private Wayk Den instance following the documentation, impressively simple, lightweight, and fast. I would definitely be confident in deploying it to our live environment. Is there a particular reason for the question?
4. Marc-André, I cannot begin to explain how many hopeless hours have gone into looking for a reasonably priced remote solution that doesn't include MacOS as an afterthought.

Splashtop, Zoho Assist, Connect Wise Control, ISLonline, RemotePC are a subset of the 30 or so I looked at.

Price, external authentication, CLI/REST API management, features (multimonitor etc), integrations with our helpdesk, product aesthetic, protocol transparency, and other factors all went into the determination criteria, with an emphasis on being able to automate deployment and user/machine management.

1. Splashtop didn't support External authentication, or charged extra for it, but was was reasonably priced otherwise.
2. Zoho Assist doesn't support passing keyboard shortcuts (🤦) so we stopped looking at that, but was easy to use and browser based.
3. RemotePC was cheap, easy to deploy, but their support has been questionable. Machines have gone missing or have linked to other devices so they have DB issues...
4. ISLOnline, in all its magnificent glory, is outside our price range for our size, but would be a steal for a much larger company.
5. ConnectWise Control is the last product to look into. They support 5 forms of authentication including SAML and OAuth, connect with our helpdesk, support curtain mode, and are also fairly reasonably priced. It's still being evaluated, but my expectations are at an all time low in this market 😂.

I'll say this, I really, really appreciate that devolutions has an actively developed Powershell module to support their application. I find that to be a desirable trait, I see that as a sign that a company, cares enough to do that, has admirable motive to make their products simple to manage, and demonstrates to me that they're focused on delivering a quality product. I think the client has been lightweight and snappy to use even with the limitations on MacOS. I've spent a few days trying to find creative ways to over come those limitations, but I keep coming up short. If there were external authentication support, the ability to manage machines/users WaykDen users through that Powershell module, even without curtain mode this would be no contest. WaykNow would easily be top 3 based on all criteria. Automation, Security, and Cost being the most principally important features, Wayk Den would be without a doubt the top pick.

Performance between all these remote access applications are relatively the same, if Devolutions has some secret Chrome Remote Desktop-like sauce for creating responsive high-quality remote desktop sessions that's great, but if I also have to ensure I can automate these deployments at scale for security's sake. Especially with something as sensitive as remote access software. Ensuring account access can be stopped as apart of an automated termination work flow is of paramount importance, as much as the main product feature itself, which almost all of these remote access solutions seem to lack.

Thank you for the great feedback! It is definitely appreciated. I have a couple more questions and food for thought:

Regarding the macOS curtain mode, there is another possibility I haven't discussed: using the Apple Remote Desktop protocol to make a localhost connection to the target machine, and leverage some ready-made features of Apple Remote Desktop this way. The basic idea is that when connecting through Wayk Now, the Wayk Now server would make a localhost connection with ARD. The connection would still be done using our protocol, but by keeping this localhost ARD connection alive, we would use it from Wayk Now to trigger the ARD screen lock. This would be the macOS equivalent of our Wayk enhanced sessions on Windows: https://blog.devolutions.net/2020/05/announcing-enhanced-wayk-now-sessions-on-windows

Trying to keep things simple, it looks like this for Windows, using RDP to create new Windows sessions:
Windows: Wayk Client <- wayk protocol -> Wayk Server <- RDP protocol -> localhost

For macOS, it would look like this, except we would be using the ARD protocol to connect to localhost:
macOS: Wayk Client <- wayk protocol -> Wayk Server <- ARD protocol -> localhost

In the case of Windows, we use RDP mostly to create Windows user sessions (user session management is closely tried to RDP). For macOS, our primary goal would not be to use it for user session management (we could for a some of it, but not all, unfortunately), but we would definitely use it to leverage some of its features, like the screen lock. We would keep the connection alive, disable graphics to avoid wasteful localhost ARD traffic, and use mostly some of the control calls it offers.

Now this comes with one primary restriction: You would need to authenticate with a user that is authorized for Apple Remote Desktop connections. It's obvious when you think of it, since we would be authenticating locally with ARD with the credentials passed through Wayk Now. Would this restriction be acceptable?

I would also have to validate a few things like making sure that Wayk Now captures the right desktop image when the screen is locked through ARD, which would be a bummer if it doesn't (I haven't tried it yet). However, if it works, this is one way to approach the problem that could prove very useful in the future for other features.

I think I already know the answer, but I presume that the 80$ Apple Remote Desktop application (https://apps.apple.com/app/apple-remote-desktop/id409907375) didn't fare well in your product evaluation? It's outdated and its only "useful" update it had for the past 5 years is dark mode support, but it still has the advantage of being built-in to the operating system, which no other product can ever claim, unfortunately.

As for my question regarding Wayk Den, I just wanted to make sure that you knew it was a product you would need to deploy yourself, as there is no SaaS offering. We do have a public Wayk Den, but all the features are really only offered through private Wayk Den deployments. It doesn't seem to be a problem at all in your case :)

As for 2FA and SAML: if you had to choose between 2FA and SAML, which one would you pick? I'm asking because if we were to find a way to get 2FA without SAML that would be faster to implement, I need to know which part you needed the most (2FA or SAML). Getting 2FA through SAML is one way, but we'd need to get SAML support first.

Best regards,

Oh that's clever with ARD!

Now this comes with one primary restriction: You would need to authenticate with a user that is authorized for Apple Remote Desktop connections. It's obvious when you think of it, since we would be authenticating locally with ARD with the credentials passed through Wayk Now. Would this restriction be acceptable?

Oh that's not a problem in the slightest. As long as the keep alive session was also kept secure.

I think I already know the answer, but I presume that the 80$ Apple Remote Desktop application

Eh, we use ARD internally, but we want something that's simple for our End Users, branding and ease of use are important. Then we really don't wanna have to use a VPN or futz with ports for these connections. We do also have Windows servers and workstations, etc etc etc that we have to contend with so we're looking for the EZ all in one solution to keep everybody happy and everything centralized.

Also a remote access product like yours are more likely to support external authentication, so the added security/management bonus of being able to leverage our IDP to control access to these services is also why we're looking to third party vendors.

As for 2FA and SAML: if you had to choose between 2FA and SAML, which one would you pick?

Wayk Den provided 2FA combined with your existing LDAP support would be... "acceptable"; however, I really truly only see SAML as the only real solution. Everything has a user account these days, and being able to minimize the need for third part authenticators and avoid the tedium of setting up 2FA for every new service is important. This is especially true to our end users overall satisfaction with our IT services as a whole. It's not just a nice to have internally, the implications have an impact on the overall quality of life of our ends users as well. When it "just works" it's great for them, and makes people more productive when the behavior of technology is consistent and not in the way.

I would definitely want a way to Add/Remove/Disable/Assign for users/machines and at minimum terminate active sessions through command line to support any of these scenarios.

Maybe this is a "Unattended Access" feature, but I am using Wayk Now on MacOS and do not see it as an option. Is this available in unattended access mode on Windows? If not it should be an option.

when using unattended onto windows at least you can iirc set up wayk to open a virtual session so all happens in behind.

maybe unattended onto mac when it comes will have that too.



although obviously the question for me is how does it help the people you work with when you black out their screen, as in they basically being unable to do anything.

like the people you help should normally maybe see what happens on their PCs, and if you need some things the customer shouldnt see you open it locally on your side.

at the very least if you try to connect to someone and then want to blackout there screen there should imo be a very obvious permission prompt and a clear way to get the other one out again.

Hi My1,

If you had read the discussion above, you would have noticed that we were already discussing this possibility (adding support for sessions backed by ARD, which is the equivalent of RDP on macOS). Also, instead of speculating on what kind of features we might ship or not, I would appreciate if you could let us answer that and avoid confusing our users.

As for the black screen / curtain mode feature, it is a commonly found feature in other products. The primary goal of the curtain mode is to prevent a user with physical access to see the contents of the screen, which may contain confidential information. If you don't understand the need and context for this, I suggest you simply don't comment on it. We would rather take feedback from users who need this type of feature, not from users who fail to see the point in it because they don't need it in the first place.

Best regards,